fix(reusable-trivy): sparse-checkout .trivyignore for the image scan gate#47
Merged
…gate The image job's fail-closed Trivy scan never checked out the caller repo, so Trivy's own default .trivyignore auto-discovery (which the image scan type honors just like fs scans) had nothing to find. A repo had no way to document an accepted, unfixable base-image CVE (e.g. a Debian <no-dsa> glibc issue) without the gate blocking every future push indefinitely. Sparse-checkout only .trivyignore, not a full checkout, so this doesn't also pull in a caller's root-level trivy.yaml and silently couple that fs/license-scan config to this unrelated image gate.
Pull request overview
Improves the reusable Trivy image scan gate by ensuring Trivy can discover a caller repository’s .trivyignore without performing a full repo checkout (avoiding unintended auto-loading of repo-level trivy.yaml config during image scans).
Changes:
- Adds a sparse checkout step that fetches only the caller repo's root .trivyignore prior to the Trivy image scan.
- Documents the rationale for sparse checkout (enable .trivyignore discovery while avoiding config coupling).
The referenced iac-license job comment precedes the image job in this file, not follows it. Flagged by Copilot review on PR #47.
Summary

The image job in reusable-trivy.yml runs a fail-closed Trivy image scan (exit-code: 1) but never checks out the caller repository. Trivy's default .trivyignore auto-discovery, which the image scan type honors the same as fs scans, therefore has nothing to find. A repository has no way to document an accepted, unfixable base-image CVE without the gate blocking every future push indefinitely.

This PR adds a sparse checkout of .trivyignore before the scan step (not a full checkout, so a caller's root-level trivy.yaml does not also get silently auto-loaded and coupled to this unrelated image gate; that gap surfaced in local review before this PR was opened). I verified the fix locally against the image that is currently failing (mif-rs's mif-cli, digest sha256:4ac7813...) using the real trivy CLI: --ignorefile .trivyignore --severity HIGH,CRITICAL --exit-code 1 goes from exit 1 (four unfixed glibc CVEs) to exit 0 once a .trivyignore file is present.

Note on PR #45

fix/reusable-trivy-ghcr-auth (#45) inserts a step at the same location in the same job, immediately after steps: and before the Trivy scan step. Whichever PR merges second will hit a trivial textual conflict. Resolve by keeping both new steps; the GHCR login and the .trivyignore checkout are independent, so their relative order does not matter.

Test plan

- actionlint passes clean on the modified workflow file
- trivy CLI against the real failing image digest: exit code moves from 1 to 0 once .trivyignore is present, reproducing this step's effect
- .trivyignore (a sparse checkout of a nonexistent path is silent; Trivy's behavior is unchanged)
- image-ref caller to exercise the job directly; verified instead through the downstream mif-rs companion PR)
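The shape of the step this PR describes, as an added illustration written for this page rather than the project's own reusable-trivy.yml diff. The job name, the image-ref input and the use of aquasecurity/trivy-action are taken from the description; the action versions, the runner label and the sample ignore-file contents in the comments are assumptions. The one detail worth seeing in code is cone mode: git's cone-mode sparse checkout always materialises every top-level file, so leaving it on would pull in a root trivy.yaml and defeat the stated reason for not doing a full checkout.

```yaml
# Added illustration, not the project's reusable-trivy.yml.
# Assumed: the reusable workflow exposes an `image-ref` input and runs the
# scan with aquasecurity/trivy-action; ubuntu-latest and @v4 are assumptions.
jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      # Sparse-checkout ONLY the caller's root .trivyignore.
      # Cone mode must be off: in cone mode git checks out every top-level
      # file regardless of the pattern, which would also bring in a caller's
      # root trivy.yaml and silently couple that fs/license-scan config to
      # this image gate. A caller without a .trivyignore is not an error;
      # the checkout is simply empty and Trivy behaves as before.
      - name: Fetch caller .trivyignore (if present)
        uses: actions/checkout@v4
        with:
          sparse-checkout: .trivyignore
          sparse-checkout-cone-mode: false

      # Trivy runs with the workspace as its working directory, so the
      # default .trivyignore auto-discovery (honoured by image scans as well
      # as fs scans) now finds the file. No --ignorefile flag is needed.
      #
      # A caller's .trivyignore would look like this (placeholder IDs, not
      # the real glibc findings; `exp:` gives the acceptance an expiry so an
      # accepted CVE does not stay silenced forever):
      #   # unfixable in the current base image, tracked upstream
      #   CVE-YYYY-NNNNN exp:YYYY-MM-DD
      - name: Trivy image scan (fail-closed gate)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ${{ inputs.image-ref }}
          severity: HIGH,CRITICAL
          exit-code: '1'
```

If PR #45's GHCR login step lands in the same job, it can sit either before or after the checkout step above; neither depends on the other.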